__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Microsoft Cumulative Patch for Internet Explorer [Microsoft Security Bulletin MS02-047] August 23, 2002 19:00 GMT Number M-116 ______________________________________________________________________________ PROBLEM: There are six new vulnerabilities in Internet Explorer. * Buffer overrun in Gopher protocol handler * Buffer overrun in ActiveX control * XML file reading via Redirect * File origin spoofing * Cross domain verification in Object tag * Cross-Site scripting variant in Local HTML Resource A description of each vulnerability, if exploitable, is provided within Microsoft's Security bulletin. AFFECTED Internet Explorer 5.01, 5.5, and 6.0. SOFTWARE: DAMAGE: The aggregate of severity is based on the types of systems affected by the vulnerability, their deployment patterns, and the effect that exploiting the vulnerability would have on them. SOLUTION: Apply appropriate patch for appropriate Internet Explorer version as prescribed by Microsoft. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. The most serious vulnerability could enable ASSESSMENT: an attacker to execute commands on a user's system. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-116.shtml ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url= /technet/security/bulletin/MS02-047.asp PATCHES: http://www.microsoft.com/windows/ie/downloads/critical /q323759ie/default.asp ______________________________________________________________________________ [***** Start Microsoft Security Bulletin MS02-047 *****] Cumulative Patch for Internet Explorer (Q323759) Originally posted: August 22, 2002 Summary Who should read this bulletin: Customers using Microsoft® Internet Explorer Impact of vulnerability: Six new vulnerabilities, the most serious of which could enable an attacker to execute commands on a user’s system. Maximum Severity Rating: Critical Recommendation: Customers should install the patch immediately. Affected Software: Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 5.5 Microsoft Internet Explorer 6.0 Technical details Technical description: This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities: A buffer overrun vulnerability affecting the Gopher protocol handler. This vulnerability was originally discussed in Microsoft Security Bulletin MS02-027, which provided workaround instructions while the patch provided here was being completed. A buffer overrun vulnerability affecting an ActiveX control used to display specially formatted text. The control contains a buffer overrun vulnerability that could enable an attacker to run code on a user’s system in the context of the user. A vulnerability involving how Internet Explorer handles an HTML directive that displays XML data. By design, the directive should only allow XML data from the web site itself to be displayed. However, it does not correctly check for the case where a referenced XML data source is in fact redirected to a data source in a different domain. This flaw could enable an attacker’s web page to open an XML-based files residing a remote system within a browser window that the site could read, thereby enabling the attacker to read contents from websites that users had access to but the attacker was not able to navigate to. A vulnerability involving how Internet Explorer represents the origin of a file in the File Download Dialogue box. This flaw could enable an attacker to misrepresent the source of a file offered for download in an attempt to fool users into accepting a file download from an untrusted source believing it to be coming from a trusted source. A Cross Domain verification vulnerability that occurs because of improper domain checking in conjunction with the Object tag. As a result, the vulnerability could enable a malicious web site operator to access data across different domains, for example one in a web site’s domain and the other on the user’s local file system and then pass information from the latter to the former. This could enable the web site operator to read, but not change, any file on the user’s local computer that could be viewed n a browser window. In addition, this can also enable an attacker to invoke, but not pass parameters to, an executable on the local system, much like the "Local Executable Invocation via Object tag" vulnerability discussed in MS02-015. A newly reported variant of the "Cross-Site Scripting in Local HTML Resource" vulnerability originally discussed in Microsoft Security Bulletin MS02-023. Like the original vulnerability, this variant could enable an attacker to create a web page that, when opened, would run in the Local Computer zone, allowing it to run with fewer restrictions than it would in the Internet Zone. In addition, the patch sets the Kill Bit on the MSN Chat ActiveX control discussed in Microsoft Security Bulletin MS02-022 as well as the TSAC ActiveX control discussed in Microsoft Security Bulletin MS02-046. This has been done to ensure that vulnerable controls cannot be introduced onto users’ systems. Customers who use the MSN Chat control should ensure that they have applied the updated version of the control discussed in MS02-022 and customers who use the TSAC control should ensure that they have applied the updated version of the control discussed in MS02-046 . Mitigating factors: Buffer Overrun in Gopher Protocol Handler: - The vulnerability would provide the attacker with user’s own privileges on the system. Customers who run with fewer than full privileges on the system would therefore be at lower risk. Buffer Overrun in Legacy Text Formatting ActiveX Control: - The vulnerable ActiveX control is not installed by default as part of a current version of IE. Upon learning of the vulnerability, Microsoft removed the download from its site to minimize the likelihood that users would have the control on their systems. - The vulnerability would provide the attacker with the user’s own privileges on the system. Customers who run with fewer than full privileges on the system would therefore be at lower risk. - Customers who use Outlook Express 6.0 or Outlook 2002 (or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update) would by default by protected against email-borne attacks via this vulnerability unless they specifically clicked a link within the email message. XML File Reading via Redirect: - The vulnerability only provides a capability to read XML-based files that they know the complete path to. - The vulnerability could not be used to add, change or delete files. - Customers who use Outlook Express 6.0 or Outlook 2002 (or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update) would by default by protected against email-borne attacks via this vulnerability. File Origin spoofing: - The vulnerability does not give an attacker the means to place or run executables directly on the system: user interaction is required in a successful attack. Cross Domain Verification in Object Tag: - The vulnerability would not enable the attacker to pass any parameters to an executable program. - Microsoft is not aware of any programs installed by default in any version of Windows that, when called with no parameters, could be used to compromise the system. - An attacker could only invoke a file on the victim’s local machine. The vulnerability could not be used to execute a program on a remote share or web site. - The vulnerability would not provide any way for an attacker to put a program of his choice onto another user’s system. - An attacker would need to know the name and location of any file on the system to successfully invoke it. - The vulnerability could only be used to view or invoke files. It could not be used to create, delete, or modify them. - The vulnerability would only allow an attacker to read files that can be rendered in a browser window, such as image files, HTML files and text files. Other file types, such as binary files, executable files, Word documents, and so forth, could not be read. - Outlook 98 and 2000 (after installing the Outlook Email Security Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted Sites Zone. As a result, customers using these products would not be at risk from email-borne attacks. Variant of Cross-Site Scripting in Local HTML Resource: - Outlook 98 and 2000 (after installing the Outlook Email Security Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted Sites Zone. As a result, customers using these products would not be at risk from automated email-borne attacks. However, these customers can still be attacked if they choose to click on a hyperlink in a malicious HTML email. - Customers using Outlook 2002 SP1 who have enabled the "Read as Plain Text" feature would be immune from the HTML email attack. This is because this feature disables all HTML elements, including scripting, from mail when it is displayed. - Any limitations on the rights of the user's account would also limit the actions of the attacker's script. - Customers who exercise caution in what web sites they visit or who place unknown or untrusted sites in the Restricted Sites zone can potentially protect themselves from attempts to exploit this issue on the web. Severity Rating: Buffer Overrun in Gopher Protocol Handler: Internet Servers Intranet Servers Client Systems Internet Explorer 5.01 Low Low Critical Internet Explorer 5.5 Low Low Critical Internet Explorer 6.0 Low Low Critical Buffer Overrun in Legacy Text Formatting ActiveX Control: Internet Servers Intranet Servers Client Systems Internet Explorer 5.01 Low Low Critical Internet Explorer 5.5 Low Low Critical Internet Explorer 6.0 Low Low Critical XML File Reading via Redirect: Internet Servers Intranet Servers Client Systems Internet Explorer 5.01 Low Low Moderate Internet Explorer 5.5 Low Low Moderate Internet Explorer 6.0 Low Low Moderate File Origin Spoofing: Internet Servers Intranet Servers Client Systems Internet Explorer 5.01 Moderate Moderate Moderate Internet Explorer 5.5 Moderate Moderate Moderate Internet Explorer 6.0 Moderate Moderate Moderate Cross Domain Verification in Object Tag: Internet Servers Intranet Servers Client Systems Internet Explorer 5.01 None None None Internet Explorer 5.5 Moderate Moderate Critical Internet Explorer 6.0 Moderate Moderate Critical Variant of Cross-Site Scripting in Local HTML Resource: Internet Servers Intranet Servers Client Systems Internet Explorer 5.01 Low Low Moderate Internet Explorer 5.5 Low Low Moderate Internet Explorer 6.0 None None None Aggregate Severity of all issues included in this patch (including issues addressed in previously released patches): Internet Servers Intranet Servers Client Systems Internet Explorer 5.01 Moderate Moderate Critical Internet Explorer 5.5 Critical Critical Critical Internet Explorer 6.0 Critical Critical Critical The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Vulnerability identifiers: - Buffer Overrun in Gopher Protocol Handler: CAN-2002-0646 - Buffer Overrun in Legacy Text Formatting ActiveX Control: CAN-2002-0647 - XML File Reading via Redirect: CAN-2002-0648 - File Origin Spoofing: CAN-2002-0722 - Cross Domain Verification in Object Tag: CAN-2002-0723 - Variant of Cross-Site Scripting in Local HTML Resource: CAN-2002-0691 Tested Versions: The following table indicates which of the currently supported versions of Internet Explorer are affected by the vulnerabilities. Versions of IE prior to 5.01 Service Pack 2 are no longer eligible for hotfix support. IE 5.01 SP2 is supported only on Windows® 2000. IE 5.01 IE 5.5 IE 5.5 IE 6.0 SP2 SP1 SP2 SP1 Buffer Overrun in Gopher Yes Yes Yes Yes Protocol Handler (CAN-2002-0646) Buffer Overrun in Legacy Text Yes Yes Yes Yes Formatting ActiveX Control (CAN-2002-0647) XML File Reading via Redirect Yes Yes Yes Yes (CAN-2002-0648) File Origin Spoofing Yes Yes Yes Yes (CAN-2002-0722): Cross Domain Verification No Yes Yes Yes in Object Tag (CAN-2002-0723) Variant of Cross-Site Yes Yes Yes No Scripting in Local HTML Resource (CAN-2002-0691) Patch availability Download locations for this patch http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp Additional information about this patch Installation platforms: The IE 5.01 patch can be applied to Windows 2000 Systems with Service Pack 2 running IE 5.01 or with Service Pack 3 running IE 5.01. The IE 5.5 patch can be installed on systems running IE 5.5 Service Pack 1 or Service Pack 2. The IE 6.0 patch can be installed on system running IE 6.0 Gold. Inclusion in future service packs: The fixes for these issues will be included in IE 6.0 Service Pack 1. The fixes for the issues affecting IE 5.01 Service Pack 2 and Service Pack 3 will be included in Windows 2000 Service Pack 4. Reboot needed: Yes Patch can be uninstalled: No Superseded patches: This patch supersedes the one provided in Microsoft Security Bulletin MS02-023, which is itself a cumulative patch, and the workaround discussed in Microsoft Security Bulletin MS02-027. Verifying patch installation: To verify that the patch has been installed on the machine, open IE, select Help, then select About Internet Explorer and confirm that Q323759 is listed in the Update Versions field. To verify the individual files, use the patch manifest provided in Knowledge Base article Q323759. Caveats: None Localization: Localized versions of this patch are available at the locations discussed in "Patch Availability". Obtaining other security patches: Patches for other security issues are available from the following locations: Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". Patches for consumer platforms are available from the WindowsUpdate web site All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site. Other information: Acknowledgments Microsoft thanks the following people for working with us to protect customers: GreyMagic Software for reporting the XML File Reading via Redirect vulnerability. Mark Litchfield of Next Generation Security Software Ltd. for reporting the Buffer Overrun in Legacy Text Formatting ActiveX Control vulnerability. Jouko Pynnonen of Oy Online Solutions Ltd for reporting the File Origin Spoofing vulnerability. Support: Microsoft Knowledge Base article Q323759 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site. Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches. Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: V1.0 (August 22, 2002): Bulletin Created. [***** End Microsoft Security Bulletin MS02-047 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft Corporation for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-106: Cisco Concentrator RADIUS PAP Authentication Vulnerability M-107: Unchecked Buffer in Content Management Server M-108: Vulnerability in HP Apache Server PHP M-109: Common Desktop Environment (CDE) ToolTalk Buffer Overflow M-110: Buffer Overflow in Multiple Domain Name System (DNS) Libraries M-111: Integer Overflow in External Data Representation (XDR) Library M-112: Microsoft Cumulative Patch for SQL Server M-113: Microsoft Network Connection Manager (NCM) Flaw Could Enable Privilege Elevation M-114: Apache 2.0 Path Disclosure Vulnerability M-115: Novell NetWare 6.0 RConsoleJ Authentication Bypass Vulnerability